Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 14:40
Static task: static1
Behavioral task: behavioral1
- Sample: 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
- Size: 495KB
- MD5: 06ead5ba61da4779f2c285c0c4579e68
- SHA1: 4571178883a3beb7a674a5c6bb12a1740f63fac2
- SHA256: 3f3979d9bba4340181a9a25f605d9afda4c47394495fefad5b16095b767eb5ec
- SHA512: 638e72ea0be633a5c8a0e71caf17d3f1ce33341ec71245048f07f4327a085046884b78dc2091768fe7d45c5fba1c0f7d01bab21194e5a98ef554673c0e9ccf41
- SSDEEP: 12288:n1Ra1rN4wopVauKAxZkhwry8NtTirdorym:nDrp4XAx+hwry8TEdoP
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid  | Process
  2772 | cmd.exe
- Executes dropped EXE (1 IoC)
  pid  | Process
  2580 | EntSver.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                  | ioc                | Process
  File opened for modification | \??\PhysicalDrive0 | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
  File opened for modification | \??\PhysicalDrive0 | EntSver.exe
- Drops file in Windows directory (3 IoCs)
  description                  | ioc                      | Process
  File created                 | C:\Windows\EntSver.exe   | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
  File opened for modification | C:\Windows\EntSver.exe   | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
  File created                 | C:\Windows\GUOCYOKl.BAT  | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2960 | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
  Token: SeDebugPrivilege  | 2580 | EntSver.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid  | Process
  2580 | EntSver.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       | pid  | Process                                            | procid_target
  PID 2580 wrote to memory of 2208  | 2580 | EntSver.exe                                        | 29
  PID 2580 wrote to memory of 2208  | 2580 | EntSver.exe                                        | 29
  PID 2580 wrote to memory of 2208  | 2580 | EntSver.exe                                        | 29
  PID 2580 wrote to memory of 2208  | 2580 | EntSver.exe                                        | 29
  PID 2960 wrote to memory of 2772  | 2960 | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | 30
  PID 2960 wrote to memory of 2772  | 2960 | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | 30
  PID 2960 wrote to memory of 2772  | 2960 | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | 30
  PID 2960 wrote to memory of 2772  | 2960 | 06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06ead5ba61da4779f2c285c0c4579e68_JaffaCakes118.exe"
  PID: 2960
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\GUOCYOKl.BAT
    PID: 2772
    - Deletes itself
- C:\Windows\EntSver.exe
  Command line: C:\Windows\EntSver.exe
  PID: 2580
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2208
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 495KB
  MD5: 06ead5ba61da4779f2c285c0c4579e68
  SHA1: 4571178883a3beb7a674a5c6bb12a1740f63fac2
  SHA256: 3f3979d9bba4340181a9a25f605d9afda4c47394495fefad5b16095b767eb5ec
  SHA512: 638e72ea0be633a5c8a0e71caf17d3f1ce33341ec71245048f07f4327a085046884b78dc2091768fe7d45c5fba1c0f7d01bab21194e5a98ef554673c0e9ccf41
- Filesize: 218B
  MD5: 1e58d2fefe538e105345e1ce200cf552
  SHA1: bbde7f2f77ceb8dcca70b1a1812960e22787b5f2
  SHA256: 2d53fc0097a445256bdd29834c56413217adf235fc994f1ad89619b43c0da342
  SHA512: 35fb8fc538be3d99bc9e13071aa9969cadb9bea0174270a3390f98a48526ef5d8affeccb4cb210e14493d39f39e3319a673168963db72c52b31a2b0cd9d95958